By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to use a newer CA for the autoscaled Aurora PSQL DB?

0

Hi there.

I noticed that the Aurora reader instances that are added by the autoscaler do not use the newer CA. It always uses the default rsa-ca-2019.

Since I already updated all of my Aurora instances to use "rds-ca-rsa4096-g1", I also want to use the same one for the autoscaled ones. Unfortunately, I can't find any option to do that.

Is there a way to set the autoscaled Aurora instance to use a newer (or specific) CA automatically?

I'm worried about losing the SSL connection once the rsa-ca-2019 get expires later next year. Unexpectedly losing the DB connection is the last thing I want to experience.

Thanks a lot.

Topics
Migration & ModernizationAnalyticsDatabase
Tags
Amazon Relational Database ServiceAurora PostgreSQLAmazon Aurora
Language
English
Yechan
asked 4 months ago146 views
2 Answers
0

Hi,

This is something currently being addressed and at this time, there is no workaround. I went and tested this in my own environment, but at this time the Auto-Scaled instances are using the current default certificate, in which case is still 'rsa-ca-2019'.

AWS
SUPPORT ENGINEER
Kyle_B
answered 4 months ago
  • Yechan
    4 months ago

    Hey. Thanks for the reply. It's unfortunate to hear that there's no workaround.

    If that's the case then are the autoscale-provisioned DB instances gonna automatically use a newer CA once the rsa-ca-2019 expires?

  • Kyle_B SUPPORT ENGINEER
    4 months ago

    Our team's are aware of the potential issue if rsa-ca-2019expires and the auto-scaled instances use these defaults. I would expect a fix before this happens.

0

To set the autoscaled Aurora reader instances to use a specific CA, you can specify the certificate identifier when creating the Aurora global database cluster.

When creating the cluster through the AWS CLI or RDS API, include the --db-cluster-parameter-group-name parameter and specify the parameter group that references the desired CA.

For existing clusters, you can modify the DB cluster parameter group to set the ssl_ca_file and ssl_ca_path parameters to the CA you want to use. Then modify the DB cluster and specify this updated parameter group.

Any new reader instances added through autoscaling will then use this specified CA.

Checking that your application is connecting to the proper reader endpoints is also important to ensure connections are using the expected CA after any upgrades or modifications to the cluster.

https://repost.aws/questions/QUlzw_0nL5SeaeE9u4fJxDiQ/problem-during-update-to-new-ssl-tls-certificates-rds-ca-2019

https://repost.aws/knowledge-center/troubleshoot-connecting-aurora

profile picture
EXPERT
Giovanni Lauria
answered 23 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content